[SQLGrey] Ajout de SQLGrey dans bcfg2

darcs-hash:20090401141502-ddb99-5be811422f74da964fd9979d970b31c7eab599f4.gz
2009-04-01 16:15:02 +02:00 · 2009-04-01 16:15:02 +02:00 · 25650c116f
commit 25650c116f
parent afa36e944a
8 changed files with 220 additions and 2 deletions
--- a/Bundler/sqlgrey.xml
+++ b/Bundler/sqlgrey.xml
@ -0,0 +1,8 @@
+<Bundle name="sqlgrey">
+  <ConfigFile name="/etc/sqlgrey/sqlgrey.conf"/>
+  <ConfigFile name="/etc/sqlgrey/clients_fqdn_whitelist.local"/>
+  <ConfigFile name="/etc/sqlgrey/clients_ip_whitelist.local"/>
+  <!-- Il n'y a pas de paquet Debian (enfin, pas encore ...)
+    <Package name="sqlgrey"/>-->
+  <Service name="sqlgrey"/>
+</Bundle>
--- a/Cfg/etc/sqlgrey/clients_fqdn_whitelist.local/clients_fqdn_whitelist.local
+++ b/Cfg/etc/sqlgrey/clients_fqdn_whitelist.local/clients_fqdn_whitelist.local
@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# Fichier gere par BCfg2
+#
+# A ne modifier que sur vert !
+
+# Gandi
+*.mail.gandi.net
--- a/Cfg/etc/sqlgrey/clients_fqdn_whitelist.local/info.xml
+++ b/Cfg/etc/sqlgrey/clients_fqdn_whitelist.local/info.xml
@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='root' group='root' perms='0644'/>
+</FileInfo>
--- a/Cfg/etc/sqlgrey/clients_ip_whitelist.local/clients_ip_whitelist.local
+++ b/Cfg/etc/sqlgrey/clients_ip_whitelist.local/clients_ip_whitelist.local
@ -0,0 +1,4 @@
+# -*- coding: utf-8 -*-
+# Fichier gere par BCfg2
+#
+# A ne modifier que sur vert !
--- a/Cfg/etc/sqlgrey/clients_ip_whitelist.local/info.xml
+++ b/Cfg/etc/sqlgrey/clients_ip_whitelist.local/info.xml
@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='root' group='root' perms='0644'/>
+</FileInfo>
--- a/Metadata/groups.xml
+++ b/Metadata/groups.xml
@ -927,12 +927,11 @@
  </Group>

  <Group name="pgsql-sqlgrey">
-    <!-- TODO: a implementer -->
    <Group name="pgsql"/>
  </Group>

  <Group name="sqlgrey">
-    <!-- TODO: a implementer -->
+    <Bundle name="sqlgrey"/>
  </Group>

  <Group name="spamassassin">
--- a/Python/etc/sqlgrey/sqlgrey.conf
+++ b/Python/etc/sqlgrey/sqlgrey.conf
@ -0,0 +1,192 @@
+info["owner"] = 'root'
+info["group"] = 'root'
+info["perms"] = 0644
+
+header()
+
+@#########################
+@## SQLgrey config file ##
+@#########################
+@
+@# Notes: 
+@# - Unless specified otherwise commented settings are SQLgrey's defaults
+@# - SQLgrey uses a specific config file when called with -f <conf_file>
+@
+@## Configuration files
+@# conf_dir = /etc/sqlgrey
+@
+@## Log level
+@# Uncomment to change the log level (default is normal: 2)
+@# nothing: O, errors only: 0, warnings: 1, normal: 2, verbose: 3, debug: 4
+@loglevel = 2
+@
+@## log categories can be fine-tuned,
+@# here are the log messages sorted by types and levels,
+@# (anything over the loglevel is discarded):
+@#
+@# grey     : (0) internal errors,
+@#	     (2) initial connections, early reconnections,
+@#	         awl matches, successful reconnections, AWL additions,
+@#	     (3) smart decision process debug,
+@# whitelist: (2) whitelisted connections,
+@#	     (3) actual whitelist hit,
+@#	     (4) whitelists reloads,
+@# optin:     (3) optin/optout global result
+@#	     (4) optin/optout SQL query results
+@# spam     : (2) attempts never retried,
+@# mail     : (1) error sending mails,
+@#	     (4) rate-limiter debug,
+@# dbaccess : (0) DB errors,
+@#            (1) DB upgrade,
+@#	     (2) DB upgrade details,
+@# martians : (2) invalid e-mail addresses,
+@# perf     : (2) cleanup time,
+@# system   : (0) error forking,
+@#	     (3) forked children PIDs, children exits,
+@# conf     : (0) errors in config files, missing required file,
+@# 	     (1) warnings in config files,
+@#	         missing optional configuration files,
+@#	     (2) reloading configuration files,
+@# other    : (4) Startup cleanup
+@# you can set a level to O (capital o) to disable logs completely,
+@# but be aware that then SQLgrey can come back to haunt you...
+@
+@# Provide a coma-separated "logtype:loglevel" string
+@# For example if you set the loglevel to 3 (verbose) but want SQLgrey to be:
+@# . quiet for whitelists
+@# . normal for greylisting
+@# uncomment the following line.
+@# log_override = whitelist:1,grey:2
+@# By default, log_override is empty
+@
+@## Log identification
+@# by default this is the process name. If you define the following variable
+@# SQLgrey will use whatever you set it to
+@# log_ident =
+@
+@## username and groupname the daemon runs as
+@user = sqlgrey
+@group = nogroup
+@
+@## Socket
+@# On which socket do SQLgrey wait for queries
+@# use the following if you need to bind on a public IP address
+@# inet = <public ip>:port
+@# default :
+@# inet = 2501    # bind to localhost:2501
+@
+@## PID
+@# where to store the process PID
+@# pidfile = /var/run/sqlgrey.pid
+@
+@## Config directory
+@# where to look for other configuration files (whitelists)
+@# confdir = /etc/sqlgrey
+@
+@## Greylisting delays
+@# If you want to be really strict (RFC-wise) use these
+@# This is *not* recommended, you'll have false positives
+@# reconnect_delay = 15    # don't allow a reconnection before 15 minutes
+@# max_connect_age = 2     # don't allow a reconnection after 2 hours
+@
+@# default: (based on real-life experience)
+@reconnect_delay = 6
+@max_connect_age = 24
+@
+@## Throttling too many new entries from new host
+@# Setting this optional parameter will refuse an excessive number of
+@# new entries in the connect table from the same host, in the following
+@# manner:
+@# - If there are already "connect_src_throttle" entries in the connect
+@#   table from the same host (e-mails which have not been retried yet)
+@# - And there is NO entry for this host in domain_awl
+@# - And there are LESS than "connect_src_throttle" entries in the
+@#   from_awl table for this host
+@# THEN further incoming connections from this host will be (temporarily)
+@# refused without new entries being created in the connect table (until
+@# some already waiting entries have been successfully retried).
+@# This feature may prevent the connect table from growing too big and
+@# being polluted by spambots, viruses, zombie machines and the like.
+@# If set to "0" (default), this feature won't be used.
+@connect_src_throttle = 5
+@
+@
+@## Auto whitelists settings
+@# default is tailored for small sites
+@# awl_age = 60
+@# group_domain_level = 2 
+@
+@# For bigger sites you may want
+@# a smaller awl_age and a bigger group_domain_level
+@# AWL must be renewed at least once a month
+@# 32 > 31 (max delay between monthly newsletters)
+@awl_age = 33
+@# wait for 10 validated adresses to add a whole
+@# domain in AWL
+@group_domain_level = 10
+@
+@## Database settings
+@# instead of Pg below use "mysql" for MySQL, "SQLite" for SQLite
+@# any DBD driver is allowed, but only the previous 3 have been tested
+@db_type = Pg
+@db_name = sqlgrey
+@# Note: the following are not used with SQLite
+@# On laisse rouge meme pour ovh, sqlgrey sait detecter s'il perd le
+@# lien avec la base.
+@db_host = rouge.adm.crans.org
+@
+@db_user = sqlgrey
+@# db_pass = spaces_are_not_supported
+@# db_cleandelay = 1800 # in seconds, how much time between database cleanups
+@# clean_method = sync # sync : cleanup is done in the main process,
+@		      #        delaying other operations
+@                      # async: cleanup is done in a forked process,
+@		      #        it won't delay mail processing
+@                      #        BEWARE: lockups have been reported
+@		      #        and are still investigated
+@
+@## X-Greylist header added?
+@# This adds delay, whitelist and autowhitelist information in the headers
+@prepend = 1
+@
+@## Greylisting method:
+@# - full   : greylist by IP address
+@# - classc : greylist by class C network. eg:
+@#            2.3.4.6 connection accepted if 2.3.4.145 did connect earlier
+@# - smart  : greylist by class C network unless there is no reverse lookup
+@#            or it looks like a home-user address
+@# Default is smart
+@greymethod = smart
+@
+@## Optin/Optout (see README.OPTINOUT for details)
+@# - none   : everyone is greylisted (default)
+@# - optin  : one must optin to have its (incoming) messages being greylisted
+@# - optout : one must optout to not have its messages being greylisted
+@optmethod = optout
+@
+@## SQLgrey return value.
+@# SQLgrey can tell Postfix to:
+@# - immediately reject a message with a temporary reject code
+@# - only do so if following rules would allow the message to pass
+@# The first choice will prevent Postfix from spending time evaluating
+@# potentially expensive rules.
+@# In some cases you may want following rules to be aware of the connection
+@# this.
+@#
+@# We can specify a different rejection strategy for the first connection
+@# attempt, and for early reconnections. 'immed' chooses immediate rejection
+@# 'delay' choose delayed rejection
+@#
+@# By default we use delay on first attempt
+@# reject_first_attempt = delay
+@# Default for early reconnection is the value affected to reject_first_attempt
+@# reject_early_reconnect = delay
+@
+@## Update server
+@# where to get updates for whitelists
+@# whitelists_host = sqlgrey.bouton.name
+@
+@## Postmaster address
+@# who gets urgent notifications (DB is down for example)
+@# default or empty: don't send mail notifications
+@admin_mail = roots@crans.org
--- a/Rules/rules.xml
+++ b/Rules/rules.xml
@ -50,6 +50,8 @@

  <Service type="deb" name="ssh" status="on"/>

+  <Service type="deb" name="sqlgrey" status="on"/>
+
  <Service type="deb" name="autofs" status="on"/>

  <Service type="deb" name="nscd" status="on"/>